[Snort-users] ignore host for just a couple of rules, not all

Roeland Weve roeland at ...1415...
Fri Jun 15 03:50:48 EDT 2001


Is it possible to exclude some hosts for only one 
or two rules?
Now I have an ignore.rules file where some rules 
are defined where I exclude some 'trusted' hosts.
But I want to define some rules that only exclude 
trusted hosts for a couple of rules.
This is handy if you get too many false positives
from a host on one rule, like the rule

IDS297/http-directory-traversal1

that gives me 400 alerts from one host, because of something like
this:
47 45 54 20 2F 73 65 61 72 63 68 72 65 73 75 6C   GET /searchresul
74 2F 2E 2E 2F 70 69 78 2F 6E 61 76 2F 6D 6F 5F   t/../pix/nav/mo_
30 5F 61 2E 67 69 66 20 48 54 54 50 2F 31 2E 30   0_a.gif HTTP/1.0
0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A   ..Referer: http:

I now exclude this host via:
pass tcp any any -> hostip 80

but a rule like:
pass 297,230 tcp any any -> hostip 80
would be better.
(where 297 and 230 are IDS alert numbers that must be ignored for that
host)

An idea for a new update, or is this already implemented?

Roeland
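The per-signature exclusion asked for above can be approximated with a pass rule that carries the same content option as the alert rule, so that only packets which would have triggered that one signature are passed for the trusted host, while the blanket port-80 pass rule is no longer needed. The rules below are an added example, not from the original post or from the Snort rule set: the host address, the TRUSTED_WEB variable name and the "../" content pattern are assumptions, and the content string must be copied from the alert rule actually loaded on your sensor.

```snort
# Added example (not from the original post). The address, the variable name
# and the "../" content are assumptions; copy the content option from the
# alert rule that is really firing so the pass rule matches the same packets.
var TRUSTED_WEB 192.168.1.10

# Blanket exclusion as used in the post: silences every rule for port 80 on
# this server, including ones you still want to see.
# pass tcp any any -> $TRUSTED_WEB 80

# Narrower exclusion: only traffic that would match the directory-traversal
# signature is passed, because the pass rule carries the same content option.
pass tcp any any -> $TRUSTED_WEB 80 (msg:"pass http-directory-traversal1 for trusted host"; flags:A+; content:"../";)

# The alert rule itself stays active for every other host.
alert tcp any any -> any 80 (msg:"IDS297/http-directory-traversal1"; flags:A+; content:"../";)
```

One caveat for Snort 1.x: the default rule application order is Alert, then Pass, then Log, so the alert rule above fires before the pass rule is ever consulted. Start snort with the -o switch to change the order to Pass, Alert, Log; without it the pass rule has no effect on alerting.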
